Posts Tagged: Zack Whittaker


5
Dec 19

Apple Explains Mysterious iPhone 11 Location Requests

KrebsOnSecurity ran a story this week that puzzled over Apple‘s response to inquiries about a potential privacy leak in its new iPhone 11 line, in which the devices appear to intermittently seek the user’s location even when all applications and system services are individually set never to request this data. Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

I published Tuesday’s story mainly because Apple’s initial and somewhat dismissive response — that this was expected behavior and not a bug — was at odds with its own privacy policy and with its recent commercials stating that customers should be in full control over what they share via their phones and what their phones share about them.

But in a statement provided today, Apple said the location beaconing I documented in a video was related to Ultra Wideband technology that “provides spatial awareness allowing iPhone to understand its position relative to other Ultra Wideband enabled devices (i.e. all new iPhone 11s, including the Pro and Pro Max).

Ultra-wideband (a.k.a UWB) is a radio technology that uses a very low energy level for short-range, high-bandwidth communications of a large portion of the radio spectrum without interfering with more conventional transmissions.

“So users can do things like share a file with someone using AirDrop simply by pointing at another user’s iPhone,” Apple’s statement reads. The company further explained that the location information indicator (a small, upward-facing arrow to the left of the battery icon) appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

“Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” the statement continues. “iOS uses Location Services to help determine if iPhone is in these prohibited locations in order to disable Ultra Wideband and comply with regulations. The management of Ultrawide Band compliance and its use of location data is done entirely on the device and Apple is not collecting user location data.” Continue reading →


21
Oct 19

Avast, NordVPN Breaches Tied to Phantom User Accounts

Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.

Based in the Czech Republic, Avast bills itself as the most popular antivirus vendor on the market, with over 435 million users. In a blog post today, Avast said it detected and addressed a breach lasting between May and October 2019 that appeared to target users of its CCleaner application, a popular Microsoft Windows cleanup and repair utility.

Avast said it took CCleaner downloads offline in September to check the integrity of the code and ensure it hadn’t been injected with malware. The company also said it invalidated the certificates used to sign previous versions of the software and pushed out a re-signed clean update of the product via automatic update on October 15. It then disabled and reset all internal user credentials.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” Avast’s Jaya Baloo wrote.

This is not the first so-called “supply chain” attack on Avast: In September 2018, researchers at Cisco Talos and Morphisec disclosed that hackers had compromised the computer cleanup tool for more than a month, leading to some 2.27 million downloads of the corrupt CCleaner version.

Avast said the intrusion began when attackers used stolen credentials for a VPN service that was configured to connect to its internal network, and that the attackers were not challenged with any sort of multi-factor authentication — such as a one-time code generated by a mobile app.

“We found that the internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and did not require 2FA,” Baloo wrote. Continue reading →